The Global Head of Cyber Security for Huawei and the former UK Government CIO & CISO (2006-2011).

04/02/2015

The BBC reports today that "IFS says worst of UK spending cuts yet to come", and indeed, however you do the maths and whichever political party you support (if any), there is a long way to go before the UK's financial position is repaired.

Sadly, listening to all the political parties, we seem to be in "throw ideas at the electorate and see if any of them stick" mode. There must be a better, more systematic and more justifiable way for political parties to establish strategy over tactics, and with it to decide what should be protected and what could be cut. It is something we have to do in business all of the time, yet sadly in my seven years at the heart of Government I did not see it.

In my last budgeting exercise in the Cabinet Office before the last election, we were rightly asked to come up with options for cuts to the next year's budget; various scenarios were to be presented. Given that most of the costs were people-related, you did not need to be a genius to recognise that, sadly, people would have to go. Every function within the Cabinet Office went through the same process. However, there was never a conversation about strategy or Ministerial priorities, just about getting to a required overall number. Salami slicing is not a strategy for success, yet it is still what all parties are proposing. There is another way. The reality is that if we want citizens to understand why cuts are taking place, or investments being made, the process has to be inclusive, systematic, logical and communicated.

First of all, sensible investments and cuts cannot be driven entirely from the centre of Government; we need to include those doing the jobs, even if their views are biased. It is absolutely right for those in, say, the NHS or the medical bodies to have a strong voice on what should happen; after all, they do the job day in and day out. So, a simple process:

Phase 1 – Line item costs in every part of the public sector

Each part of the public sector, from its Minister down, together with officials, associations and professional bodies, should identify each core item of spend in its area at a reasonably granular level. Saying "GPs" is too high level, as is "Bobbies on the beat". What we are asking them to do is to produce a list of items in priority order, with their cost and the value they create (if any).

As ever, this list should be understandable, should identify the cost to the public purse and, preferably, the number of citizens each item touches.

This list will be used to compare and contrast with other items in other parts of the public sector.

Phase 2 – draw a line at the mandatory minimum set of requirements

Each part of the public sector should now draw a line at the point that marks the mandatory minimum set of services, and therefore the minimum cost. It has to be the minimum, nothing optional: the point below which the whole service fails. This does not mean this is all the money people will get. Involving stakeholders in this debate is important for understanding and buy-in.

We should be transparent; this should be published and a public debate should be promoted.

At this phase we are also doing quick calculations on what the public sector's "minimum" spend looks like when all of the "minimums" are added up.

Phase 3 – compare and contrast

At this point we are asking whether the items on the NHS list are more important than those on the Defence list, the International Development list, or indeed any other list of spend items. Are we saying that fertility treatment is more or less important than community police officers, or child benefit more important than elderly social care? Yes, these are tough decisions, but this is what strategy is about. What kind of country do we want to live in, how do we create that country with limited resources, and what decisions do we need to make?

We also come back to the affordability question. This is where we iterate, progressively removing activities, tasks and services from the list until it fits the budget cap we are working to.

Each one of these decisions should be defensible: "a" is more important than "b" because…

Phase 4 – thinking the unthinkable

We now have a set of public services that we deem important for the country in the medium to long term, but it still might not fit the funding envelope. It is not uncommon for people to shy away from tough decisions and accept a "budget task", i.e. a saving we must make but do not yet know how to. So now we must drive through on aggressive efficiency.

Just because we say GPs cost £xbn doesn't mean they should get that money. We have to be innovative in our thinking. Why is it free? Why are there so few private GPs? Why can't I buy my drugs online? And so on. Again, every part of the public sector should be opened up to scrutiny and to ideas for innovation.

When you are in cutting mode it can be hard to switch to investment mode, yet this must also be done. Not everyone can see the big international picture; not everyone can see the subtle yet important social or demographic changes that are occurring. Experts, together with business leaders, must now consider the long-term changes: what investments must we make now to lay the foundations for the next twenty years? What policies must we adopt to cater for future threats and opportunities?

If we could do anything like this, I think we would at least see that there is some logical thought behind the planning of Government. At least we could see why we are investing and why we are not. At least people would feel their job, or service, or benefit had been kept or lost because of logical thought and not just some political ideology. And, you never know, we might just have introduced a bit of strategy into the political world of tactics, spin and the sound bite.

03/12/2014

When we look around today, it is fair to say that almost everything we see has been shaped by Governments, regulators, vendors and consumers together continuously improving the products and services that we use.

Your trip to the office, home, school or shop today, whether by car, bus, bicycle or, yes, even on foot, has benefited from many years of functional and safety innovations and improvements.

The room you are meeting in has been shaped by health and safety considerations on maximum room size versus the size of the exits to allow a timely escape in the event of an incident. The materials to build and furnish the room are tested for structural, wear, chemical and fire protection and performance.

But what has not gone through the same security improvements is the technology you are using. Your mobile phone, your tablet, your computer: they have gone through enormous technical changes, enormous functional changes and enormous cost improvements, but sadly security has not followed the same improvement curve.

Consider this: when you purchased your phone, nowhere did it state any warning about the security of your personal details or the protection of your identity. Nowhere would you have been able to find a commonly accepted certificate of security conformity or security testing. Electricity, yes; environmental waste disposal, probably; security, absolutely not.

So we should stop and ask ourselves why technology security has followed a different improvement trajectory.

First is the pace of change. It is sometimes hard to comprehend how much technology has changed in such a short amount of time. The shelf life of products is short; the effects of Moore's law can be seen everywhere, and because of this the cumulative impact of innovation built on innovation is breath-taking.

This cumulative innovation makes technology more usable, more comprehensive and more available, and at the same time a lot more complicated: simplification for the end-user equals increased complication for the technology vendor, and increased complexity does lead to increased security risk, because every added component and interface is another place a flaw can hide.

Ubiquity has led to complacency. Today we take technology for granted. We do not really consider the power of what we are using, the interconnectedness of the device or the global supply chain that delivered the device and the experience, nor do we consider the number of hands and prying eyes that are able to interact with our personal technology and the data we store on it.

All of this leads to a lack of comprehensive knowledge of the technology among policy makers, regulators, buyers and users. This lack of knowledge of how technology has been built, how it should be built and what good security looks like leaves the buyer, whether a consumer, an enterprise or a government, helpless in telling the good from the bad.

I started off by saying that the interplay between regulators, vendors and consumers has driven quality up, innovation up and price down. What is missing in technology is the knowledge that policy makers, regulators and buyers need to make informed decisions about security. This lack of knowledge manifests itself in the reality that few people are able to specify, in any level of detail, what security capability they want their vendors to have, or to build into the products and services they create. This in turn has not created the pressure on vendors to improve their security capability at a pace similar to that of functional, quality and cost improvements; hence the divergence that has opened up over many years.

Much good work is going on around the world to address cyber security laws, but we must be realistic. It can be hard in a single country to introduce new laws. It is even harder in a region such as the EU with 28 member states, and it is a lifetime's journey to achieve laws on an international scale. But we do not need laws to make progress. Good progress has been made on improving the standards and knowledge of users of ICT through the new versions of the ISO 27000 series of standards, the work of NIST in the USA, and the Open Group and ENISA in Europe. No work, as far as we can see, has been done to start helping the ICT industry improve the inherent security of its products by creating demand from buyers for better product security. To do this, buyers need to know what questions to ask of their vendors.

Today I have published our latest white paper and you can find it on our website here:

We are blessed as a company to operate in 170 countries and to have customers who use our technology to serve over one third of the planet's population. This global insight provides a richness of culture, a wide understanding of requirements and laws, and a comprehensive view of the differing approaches people take to managing risk. Our campus in Shenzhen, China, is home to over 30,000 employees and is also our headquarters. Here we host guests from around the globe on a continuous basis. Every day large numbers of customers, politicians, government officials, experts and members of the media come and visit. We show them our exhibition centres and our manufacturing; they sit down and talk with us, work with us and, importantly, eat with us, and through this closeness we detail everything we do, not just on security.

From this intimacy and openness we take our guests through our approach to end-to-end cyber security, and from this we have captured their questions, their thoughts and their concerns. This knowledge has formed the basis of the Top 100 questions detailed in this white paper.

We set out to detail the most frequent non-technical questions we are asked by our customers and other stakeholders when it comes to cyber security. In this context, "most frequent" also means the ones that generate the most conversation or review or follow-up questions.

We have taken "poetic licence" to tweak the questions posed to us to make them generic. We have also added questions to reflect the latest issues, such as the Snowden revelations, and filled in any gaps to make each section cohesive. We fervently believe that the more demanding the buyer, and the more consistent buyers are in asking for high-quality security assurance, the more likely ICT vendors are to invest and raise their security standards.

Whilst this white paper is a start, we are delighted to be working with the EastWest Institute (EWI) on cyber security. EWI has agreed to take this initial Top 100 and, using its extensive knowledge and networks, shepherd the evolution of updated and more tailored versions. We look forward to the Top 100 concept becoming an integral part of a buyer's approach and helping the ICT industry drive greater improvements in product and service security design, development and deployment.

Together we can raise the quality of security considerations in technology products and services, and from this we can collectively do more to enrich people's lives through the use of ICT.

30/11/2014

It has been interesting to read of the potential bid by British Telecom for EE, or O2, or both networks in the UK. I was also interested to see that EE might undertake a counter-bid for the O2 network. Regardless of who acquires whom, two things we can be sure of: (1) there will always be consolidation, and (2) rural customers will suffer.

Now I am assuming most of you will agree with number (1), but many of you might question the accuracy of number (2). Let me explain my logic, based purely on a single data point: the Suffolk household, in the rural backwaters of a national park in the middle of England.

In the olden times, mobile broadband and telephony were good in the hills. Those signal strength bars were hopping around as if they were on steroids; O2 was good, mainly outdoors; Orange was great and T-Mobile more than delightful. Mobile broadband on Orange was a healthy 5Mbps. Vodafone was not so good: you had to walk up the hillside and wait for the wind to blow in the right direction. None of the online maps bore any relation to the reality of coverage.

Then came the announced creation of EE. The networks started to intermingle, and my wife on Orange and I on T-Mobile, sad people that we are, would stand and watch our phones happily roaming onto the other network.

Then the dreaded "optimisation" phase kicked in. For optimisation read cost cutting, read screwing existing customers, read going from three networks to none. The best we can get now is GPRS. No 3G, which we had before; no mobile broadband; zip, nothing, nada.

Customer service was fab… not. "We have taken down one mast," they would joyously tell us. "We are rebuilding the mast we have taken down," they would say to quell our annoyance. "We have turned down the power on the remaining mast," they would say when they were being honest. "We will send you a femtocell," or "we can't send you a femtocell, it doesn't work," in response to the many calls to them over the last twelve months.

Now we stand in the kitchen looking at our phones like people stranded on a desert island hoping for signs of rescue: a bar or two, the magical letters 3G… Sadly my beard is longer, my legs and belly thinner (that's a complete lie), but we are still stranded.

Now, the regulator Ofcom is useless. They have no interest in the consumer; they positively and joyously promote optimisation and, more disappointingly, block you from doing anything about it. I am more than happy to build my own repeater station on the hill, but alas that is against the law as set by the regulator.

We demand that Governments give more power to our masts so our signals are strong, and give us the ability to take our lovely mobile signals into our own hands. Allow us to build repeaters in our villages, on our hillsides and on our rooftops.

We demand that Governments force operators to protect rural networks, and protect us digitally disadvantaged waifs, by blocking the dreaded "optimisation" cost cutting. A rural network should never be reduced; it should be increased at the same rate as metropolitan and city networks.

And what would be a cute idea is that masts et al. become the property of the people once installed, so that you need the users' permission before you downgrade a service. Call it an extension to local loop unbundling, but this time it is the end-user who is involved.

It won't happen, of course, so we will stand and stare at the dreaded GPRS signal on our phones, looking back with fond memories to a time before mergers and acquisitions and the dreaded "optimisation".

18/10/2014

I have been intrigued to read the many articles about the creation of a CEO for the Civil Service. Insiders, and many outside including me, have pondered how this change will work when you have the all-powerful Cabinet Secretary and individual Permanent Secretaries reporting directly to their Secretary of State.

My assessment is that creating a CEO position is unlikely to yield much result on its own, but combined with other significant transformations, and building on the changes already introduced by the coalition Government, it could yield a Civil Service fit for the next period of our history.

First of all, the Permanent Secretaries in the Ministries are king; the CEO will have little real influence or say if the Secretary of State does not agree with the CEO. The Cabinet Secretary himself has always faced a significant challenge in that, whilst he has always been the most senior Civil Servant, he does not control the Permanent Secretaries. So what should we do?

First of all it might be worth recapping on a number of themes:

The Civil Service is not renowned for its delivery skills; "failed x or y" is common reading. However, it does have a brilliance in policy formulation, i.e. the theory behind solving complex problems.

There is no concept of accountability in the Civil Service. If anything goes wrong the Secretary of State should fall on his or her sword; officials are "protected". There is neither incentive for success nor disincentive for failure, mediocrity can reign supreme, and you make it to the top by not making mistakes, so risk taking is not on the agenda.

Politicians are not always interested or confident in delivery; because of what I have said above, they believe their main job is done when they make the policy announcement. Soiling one's hands is rife with career danger: think Universal Credit, think ID cards…

Policy delivery is a risk to officials because it means accountability. Writing a policy is a piece of cake in comparison to delivering the actual changes for, say, Universal Credit. When you assess the competence of all Civil Servants and politicians when it comes to large-scale change and transformation skills and delivery experience, being diplomatic, I would say there is room for improvement.

Parliament doesn't have the data, structure or wherewithal to hold the executive and the Civil Service to account for complex transformations, either at the beginning of policy formulation or in the delivery of policy benefits such as improved education, health care and so on.

This is not to say that the Civil Service does not do many great things, solve many complex problems or have many talented people; it does. The question to be answered is whether the structure, roles, accountabilities and governance of the Civil Service position it for success in the future. My assessment is no.

So what could we do that addresses the challenges detailed above, yet builds on the existing strengths of the Civil Service and on some of the changes the coalition government has already introduced? A manifesto of ten changes that could be adopted by any political party!

Split the Civil Service in two. Part one is for policy formulation, with governance as today: Permanent Secretaries supporting their Ministers to draft policy. Part two is all about policy execution, the transformation and the change needed to deliver the policies. Part two reports to the new CEO. Parts one and two both report to the Cabinet Secretary.

In part two, delivery is undertaken by delivery experts drawn from across the public sector and the private sector. The heads of the big delivery arms are capable CEOs in their own right. They are supported by external boards and non-executives (a change already introduced to some extent by Francis Maude). They are rewarded on successful delivery of policy outcomes. They are not fettered by salary and package limitations. Their tenure may be limited to the life of the transformation they are charged with undertaking, but a pool of delivery experts should be maintained.

In both parts, undertake a full competence assessment of the Civil Servants. If you only have policy skills then you are assigned to part one. If you have delivery skills (and the appropriate experience) then you move to part two. For part one, reduce the number of employees by 50%, scrap all SCS 1 posts and flatten the structure dramatically; you do not need three levels of Senior Civil Servant, and many other grades, for policy formulation. Part two should be structured using standard best practice for projects and programmes, under the umbrella of a professional services company. The scale of change you work on in part two is commensurate with your experience, i.e. you do not lead a £1bn transformation if you have only ever led a £1m project.

As part of the "splitting" process, assess the structure of all of the Ministries and departments. Do we need so many, especially as we still do not have much money to spend on new "ideas"? Target a reduction of 50% and consider creating "super Ministries". Fewer Ministries, fewer Ministers, fewer Permanent Secretaries, fewer policy officials. Create a governance model that gives the Cabinet Secretary and the Government visibility and control of all activity: the Cabinet Secretary, the CEO, key NEDs, key Permanent Secretaries (two or three), plus lead Ministers from the Treasury and Number 10. Scrap the Cabinet Office and devolve its functions to other departments such as the Treasury and the Home Office, but create a Prime Minister's Office, or rather formalise the PMO that already exists. Drive clarity of roles and accountability.

Policy drafting is done in three parts: what problem am I trying to solve (done by part one, the policy groups); how best to deliver the policy changes (done by part two, the delivery part); and the overall benefits case, done together. Both parts have to approve the Business Case.

It is for Parliament to debate the policy change, and for the oversight committees to debate delivery and hold people to account for it. As part of the scrutiny, full Business Cases should be published, as should all ongoing delivery documentation, from audit reports to health checks to risk registers. Full transparency throughout the process.

Parliamentary scrutiny committees should be revamped. Place experts from the field on the committees. It seems daft to me that a health committee does not have representatives from the health community on it; go for a third external experts. The NAO should focus on part two: is delivery on track, and will delivery achieve the policy outcomes agreed in the business case? Scrutiny committees should look at how they can make the change successful, not at how best to ridicule it.

Every year at budget time (when the Chancellor stands up and presents the budget), the Treasury should reaffirm the list of projects and changes on the major project list. If the Treasury does not think a policy is still valid, or that delivery is likely to occur, it should formally implement detailed reviews, reduce funding, or scrap the project or transformation in part or in full. Funding for programmes, projects and changes should be on the basis of on-track delivery. Agreed financial benefits should be pre-booked in the recipients' future budgets: if a department says that through this change it will save £100m per annum, that money should be deducted from its budget in the appropriate year. No more HMT sitting on the fence, and less chance of padding in the business case!

At the Cabinet Secretary level, an overall Investment Review Board should formally review every business case and agree with the Cabinet the priority of the changes, ensuring the best resource is assigned to the most important change items. If projects or changes cannot be resourced appropriately, they should not be started at all.

All corporate functions such as finance, HR, ICT and procurement should be shared services delivered under part two; it's not about policy, it's about delivery.

Whoever wins the next election will have many, many challenges, and a Civil Service that has not fundamentally changed for decades will be a hindrance, not a recipe for success. The time for transformation, not tinkering, is now. We should take the opportunity.

24/09/2014

In the UK we are fast approaching an election period, and political parties are coming up with lofty ideas and policies to tempt the electorate to vote for them. It doesn't seem that long since the last election, and from what I can see, policy thinking does not appear to have moved forward. Same old, same old… But what is missing, again, is any sense of what problem the political party is trying to solve and what value the policy will create for the country and its citizens.

Let's be clear: policy pontificating has little to do with reality; it's merely there to say "look at me, I am a complete [please enter your own description]".

I sense no vision being developed or articulated for the UK. What will, or should, the UK look like, feel like, behave like and perform like in ten and twenty years' time? And then, from this, how will we get there: the strategy. What policies, what laws, what incentives and disincentives, and of course what problems need to be solved?

Turning to problem analysis, those of you with a classical training in business will understand my point. Every political party has had its, how can I say, "challenged policies", where even the greatest brains on the planet had no certainty about what problem they were trying to solve or the value it would create. The previous administration had ID cards: it's for security; no, it is for access to public services; no it is not, it is for students; no it is not, it is actually for all of the above. The current administration had the changes to the NHS, moving a large wad of cash to the frontline and removing all political involvement in the governance of the UK's biggest public sector beast, and the value created for the tax-payer by this monumental shift? Err, dunno. What I do know is that I still cannot get an appointment with my GP, but I could probably go and get fertility treatment.

Parliament is no better. When do you actually hear a Minister or an opposition member asking the questions "what problem(s) are we trying to solve?", "what constraints are we having to work to?", "what are the best options to solve the problem(s) in the shortest timeframe for the lowest cost and lowest risk?" Without this basic business analysis approach, no wonder we spin our wheels addressing things that add no value and, at worst, spend money on doomed initiatives.

As for Parliamentary oversight committees, they are fabulous for grandstanding but not much else. Civil servants are trained to give away as little as possible, not to engage in a conversation, to claim things have moved on since the audit report and, if you ever get into difficulty, just to say you will write to the committee chairperson. A maximum of two hours of pain, job done, career intact.

So in essence we end up with a situation where incoming Governments have a raft of policies that do not seem to solve any problem anyone is interested in, a Parliament that doesn't have the skill to effectively challenge the Government, and an oversight regime that is ineffective. We should not be surprised that single-issue politics engages the electorate (think UKIP) and that the mainstream parties continue to scrabble around for sound bites to differentiate their position from the other main parties.

So what should we do? I will give it some thought and come up with some lofty ideas…

23/09/2014

I am saddened to see the changes to the Trustworthy Computing group within Microsoft. I have dealt with them for many years, first within the UK Government as the Government CIO and now at Huawei. Scott Charney and the team (some of whom have, over time, gone to pastures new) have developed a world-class reputation for excellence in security.

They have been at the forefront of methodologies such as the Security Development Lifecycle (SDL) and have worked tirelessly to expand other technology vendors' and users' knowledge, whilst at the same time dramatically improving the security quality of Microsoft's products.

I can see no real advantage to Microsoft in changing this setup. I do not buy the "embed within the product team" argument, because that was already the process and model at Microsoft. What this change does is take away the focal point for security and instead scatter responsibility. It says to me that the new CEO has little or no interest in security. If that is the case then he can kiss goodbye to his cloud-first strategy.

My advice: be brave, put it back together again, and rather than destroying the success story, reinvigorate it and continue to drive TwC to be a strong foundation on which Microsoft products and services are built.

03/01/2014

I was watching Jacob Appelbaum's presentation at the Chaos conference. It is well worth watching; you can see it here. Jacob is a passionate and talented man. This is a good presentation describing the latest revelations on the NSA's bag of tricks. There are a few things I would take issue with on the latest revelation and how it has been presented and written up.

First, we need to be careful that we vent any frustration and anger in the right direction. Questioning the morality or legality of TAO (the NSA's Tailored Access Operations unit) misses the point. The hugely talented men and women who work in TAO and similar organisations around the world are doing what has been asked of them, to protect their country's assets and reveal others', and they have proved world class at doing this, although Jacob disagrees with the skill bit. If we have a problem with this then we should take it up with those who set the policy and the legal framework, accepting, as Jacob rightly points out, that politicians, policy makers and legislators have little understanding of technology, security and probably many other things.

As to my own views, I am quite clear: I want my Government to have as much data as possible. I want them to have the tools, techniques and resources to mine this data to stop a terrible event from occurring; stopping one event is good enough for me. The alternative is that we have to sift through the body parts once an event has occurred. Having said that, I want the legal frameworks to be in place, I want transparency, I want oversight, and I do not want my Government (or any Government) to cross the line and weaken security for all by building in backdoors, weakening crypto or any of the shenanigans that have occurred with the American tech industry. The moment we confuse the role of the state in national security with that of the private sector, we are all doomed to a life where there are no holds barred: he or she with the deepest pockets and the greatest resources and brains wins the race to the bottom of the pit, and there are only losers in that scenario.

Let us be clear: there are no friends in national security, just different levels of foe.

The next point I would make is that Der Spiegel and authors such as Jacob gave the vendor community no time to investigate the claims. This is not responsible disclosure, and reporters should be as responsible towards vendors as they are being towards the NSA. It is fine for Jacob to say fuck them all, or words to that effect (his language is quite fruity at times), but the impact of such a disclosure does not fall on the vendors alone. Jacob asks that vendors go public with a statement on their involvement with the NSA. At Huawei we did this last October in my last White Paper, where we said:

“Particularly, as the Deputy Chairman of the Board of Huawei and the Chairman of the Global Cyber Security Committee of Huawei, I would like to make our company’s position clear. We can confirm that we have never received any instructions or requests from any Government or their agencies to change our positions, policies, procedures, hardware, software or employment practices or anything else, other than suggestions to improve our end-to-end cyber security capability. We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or organization to any Government, or their agencies.

We confirm our company’s unswerving commitment to continuing to work with all stakeholders to enhance our capability and effectiveness in designing, developing and deploying secure technology.”

However the key point I would take issue with over the reporting of the catalogue of marvellous toys for the NSA to deploy is that it makes no distinction between the different importance of data. Let me explain:

My shopping list of bread, milk and a packet of three for the weekend is different to the access codes to my online bank account, which again is different to the national database which holds our blood types, which again is different to the details of someone in the witness protection scheme, which is different again to the name of a spy in a covert operation in a foreign country, and is different again to the nuclear launch codes (if these things actually exist). The data has different sensitivity, some data is time bound, and some data threatens life if not kept confidential or if it becomes corrupt.

Technology is the same; not all technology is there to work at top secret level. The NSA catalogue of toys is there to break into any system: it doesn't just look at the low level unclassified or personal data, it looks to break into the Fort Knox equivalent of technology. Buyers of vendors' hardware and software must determine what level of protection they want for the types of assets, or information, they are trying to protect. If they believe that what they are protecting has low value they may well specify lower security capability. If it has significant value or needs significant protection then the buyer is likely to specify higher security requirements – not all technology is born equal.

So if the NSA and other similar teams have the money, resources and capability to break into Top Secret systems that are guarded and protected to the highest levels, that same team must have a reasonable chance of breaking into technology that has not been specified to the highest security standard or protected to the same level. It will not surprise anyone when I say that having no security is cheap (to buy, but not the consequences of any loss); having top secret security is not so cheap… actually it's expensive, and it isn't just about hardware and software.

In summary we need a little more realism about what security agencies do and their capability to attack and breach the security of companies and Governments through any vendor's equipment. No Government will demand that every technology system they operate runs at top secret. No Company will demand that every system they run is at top secret and few citizens will demand their phone, tablet, PC etc. runs at top secret… even if they could buy such stuff. So we should not be surprised that the NSA has a catalogue of tools and techniques to break into vendors' equipment, given this is what they do.

Finally, what the revelations continue to bring home to everyone is that as a technology industry we must do better. Currently we have no collective idea what good looks like when it comes to security. There are no internationally agreed security standards; there are no agreed standards on product verification; there are no agreed international laws or standards of behaviour for Governments to operate in the digital world.

In our view, it is paramount that the entire ecosystem of governments, industry and end-users step up to collectively work on the problems and challenges we will face in the future. In doing so we should consider:

The challenge of privacy in a digitised world: Given that much of our lives and business are online, with our data being globally distributed and processed in many countries by many technology vendors and governed under many different laws, we need strong and compatible legal frameworks, and globally-agreed rules of engagement and technology that support the protection of personal and business data.

Thorough risk assessment practices: With the increasing rate and speed at which devices and users connect to the internet, combined with the continuous development of technology, society exposes itself to ever-evolving threats as well. Technology cannot be secured to the point of satisfying everyone’s needs in every scenario. Strategic focus on a risk management approach that references the critical elements as described in our White Paper, and recognition of the fact that global networks rely on the global supply chain, are essential to enhancing cyber security.

Customer is king: Buyers of technology - be it governments, enterprises or consumers - should use their economic buying power to demand more from their technology vendors and service providers.

20/10/2013

I have just finished speaking at the Seoul cyber security conference, perfectly and warmly hosted by the Republic of Korea Government. About 100 countries, plenty of Ministerial support as usual. Sadly the conversation does not appear to have moved on in many ways relating to "international laws, standards, behaviours". In fact it is what most Ministers asked for, yet I assume it is their job... Correct me if I am wrong but I have not seen since the first conference in London some three years ago any G8, G20, UN or other Government put this to the top of the list and say we are going to make this happen. Perhaps with all of the Snowden revelations and the fact that some enterprises and some Governments no longer trust American Tech titans we might see more progress on this.

For our part at Huawei we are passionate about bringing the world together to make progress on determining what good end-to-end cyber security looks like and implementing globally accepted standards to help buyers have more trust in what technology they are buying. To this end at the Seoul conference I launched a new white paper that documents how Huawei builds cyber security requirements into its end-to-end processes - we would love your views on how we can improve on what we do.

14/06/2013

So the furore about PRISM is beginning to subside. What we know is that there is a programme; America does snoop, spy and hack in a large way and American Tech firms are complicit, but what next?

First the revelations are not over. We have seen around 4 slides from 25 and Snowden and the Newspapers are claiming there is a lot more to come. We have seen all of those involved going into denial first, nothing to see here, all legal blah blah blah. Then watering down (it isn't really as bad as you think…) and now they are into justification mode – it could have stopped this, that and the other. Regardless of your personal views the USA will never roll back their snoopers, spying and hacking clock – they have set out their stall and this is the way they intend to operate. The truth is American Technology companies have agreed to do this and have been an integral part of PRISM. Without them there is no PRISM – lots of other programmes, but not PRISM.

We should all ignore the fancy words, and the measured tone, as it was once put to me by a PR guru, "they are doing the shitty shoe shuffle". They have trodden in something unpleasant and are frantically scraping and shuffling their shoes to get it off. However the stench of guilt is up their nose and everyone else's.

Europe has been aggressive in their tone that European citizens have been "targeted", one country at least has banned Google Apps – this is interesting as I assume that all the content of anything you store within Google apps are also available to the NSA – and many are still dissecting the language of the NSA and politicians. Remember I have said words matter and a word that you think you understand the meaning of is not necessarily the same definition of the USA hackers, snoopers and spies.

The global ramifications of this initial revelation have not really started yet. I have already seen questions about if this is what Google, Yahoo and, Microsoft do, what does Cisco and Juniper do? Do they spy on China and every other country for the NSA and USA Gov? They run much of China's telecommunications infrastructure; it is therefore right for people to assume that they have followed the American model that American Technology companies are an extension of the American state and are using their technology to send everything back to America.

As I know many of you know, Huawei were investigated by the American Congress and we were given a "clean bill of health". Well, as journalists and analysts said, "lots of ifs, buts and maybes but no evidence of wrongdoing", or my favourite, "a report for vegetarians, no meat", so in my definition no evidence of wrongdoing is a clean bill of health. Based on this lack of evidence of any wrongdoing, the American Congress said that Huawei should not be allowed into America, so based on all of these revelations, and there will be many more on America, should all other Governments ban American technology companies, especially Cisco and Juniper given their position in critical infrastructures?

We believe that the world is a better place for open and free trade. We believe that no country wins if it introduces arbitrary trade barriers under the banner of national security. Trade and competition drives innovation and innovation creates value for everyone – America should open up its telecommunications market to Chinese companies as China does for American technology companies – there really are no excuses.

15/05/2013

Thank you all for your feedback on my previous posts – LinkedIn is a marvellous email system. Let me summarise as best as I can the comments. First of all there were those of you who said I am a crazy man and need locking up for suggesting such terrible things; then there were the group of you who said I was an idiot for not recognising how far America had really gone and that "I don't know the half of it". Some of you were kind enough to send me copies of competitors' sales manuals, one a particular favourite with a title that says it all, "piranha" – all the things you should say to stop Huawei winning business, and another document from another competitor who detailed why customers should never buy Huawei equipment because someone had found a vulnerability; I had seen that one before. Some said China must stop being bad and a similar number said America should stop shouting. So it is good to see that I am creating a consensus.

So what should we do? At some point the world is going to have to work together. It is going to recognise that all of us have a role to play in reducing this threat:

Governments have a role to demand better security from their vendors' products. If a vendor's biggest customer never asks for security, or what they ask for is weak and feeble, that is what they will get.

Vendors have to demand more. What does good look like? What are the standards? At the moment the problem with standards is that they are not standard. There are a plethora of overlapping standards, few standards have any sensible measures of success and they are not always accepted around the world.

Shareholders must demand more. The Mandiant report could have gone further: was there any material loss? I am assuming no, as the Boards would have stopped the work, unless of course you had replaced your sensitive material; Mandiant could have detailed what it was that caused the breach and whether all of their customers executed best practice; they could have also been their own masters, as to omit other countries who were up to no good politicises a report and gives those that need to change their behaviour a cop-out.

Boards must demand more. My insurance won't pay out if my car is stolen because I leave the keys "unsafe"; my bank won't pay out if I don't take care of my PIN – these are seen as stupid actions. We must recognise not patching has the same impact; not adopting the top 4, or 20 or 35 mitigating actions is just stupid. Verizon say 85% of the breaches could have been stopped if we did the basics, yet we don't. Do not get me wrong – theft is theft and it should not be condoned, but we also have a personal responsibility in technology as we do in other walks of life.

Technology is not going to get simpler; the challenges are not going to get simpler so we need to think differently, how about:

All countries allow sensors to be placed on entry and exit points of their networks so we can track and trace and begin to fix the attribution issue;

If a country such as America has technical gubbins that can detect, deflect or stop malicious activity let's share it; all of us share our knowledge to reduce the threat;

Why don't all technology vendors (who after all have caused the problem) put a percentage of their revenue into an R&D pot solely for the use of defensive technologies;

Let's forget personal privacy (eeck, I sense a deluge of emails); the reality is if you are online you must be known and data will be shared for the purposes of crime prevention and detection.

We should all be worried that we are seeing more and more countries suggesting they give their intelligence or law enforcement agencies the ability to penetrate, attack or disrupt technology in other countries – where will this end? Whilst many of us accept the www is a bit of a wild west, this potential move by Nation States takes us to a place where there are only losers. We need to agree a moral, and legal, line in the digital sand that we should not cross. In this context the creators of Stuxnet did us no favours, as in some people's minds it legitimised the use of offensive cyber activity – if it is right for you, you cannot complain if I adopt a similar behaviour.

You will have your own thoughts and ideas. We need to see leadership around the world of people who want to collaborate, who want to work on solutions and who want to take a long term strategic view whilst doing practical things to improve the situation today. In this context the talks between America and China are a good first step which we should all applaud and support.